Abstract — The McEliece public-key encryption scheme has become an interesting alternative to cryptosystems based on number-theoretical problems. Differently from RSA and ElGamal, McEliece PKC is not known to be broken by a quantum computer. Moreover, even though McEliece PKC has a relatively big key size, encryption and decryption operations are rather efficient. In spite of all the recent results in coding theory based cryptosystems, to date, there are no constructions secure against chosen ciphertext attacks in the standard model - the de facto security notion for public-key cryptosystems.

In this work, we show the first construction of a McEliece 
based public-key cryptosystem secure against chosen ciphertext 
attacks in the standard model. Our construction is inspired by 
a recently proposed technique by Rosen and Segev. 

Index Terms — Public-key encryption, CCA2 security, McEliece 
assumptions, standard model 



I. Introduction 

Indistinguishability of messages under adaptive chosen ciphertext attacks is one of the strongest known notions of security for public-key encryption schemes (PKE). Many computational assumptions have been used in the literature for obtaining cryptosystems meeting such a strong security notion. Given one-way trapdoor permutations, we know how to obtain CCA2 security from any semantically secure public-key cryptosystem [27], [34], [23]. Efficient constructions are also known based on number-theoretic assumptions [9] or on identity based encryption schemes [6]. Obtaining a CCA2 secure cryptosystem (even an inefficient one) based on the McEliece assumptions in the standard model has been an open problem in this area for quite a while. We note, however, that secure schemes in the random oracle model have been proposed in [19].

Recently, Rosen and Segev proposed an elegant and simple new computational assumption for obtaining CCA2 secure PKEs: correlated products [33]. They provided constructions of correlated products based on the existence of certain lossy trapdoor functions [29], which in turn can be based on the decisional Diffie-Hellman problem and on Paillier's decisional residuosity problem [29].

In this paper, we show that ideas similar to those of Rosen and Segev can be applied for obtaining an efficient construction of a CCA2 secure PKE built upon the McEliece assumption. Inspired by the definition of correlated products [33], we define a new kind of PKE called k-repetition CPA secure cryptosystem and provide an adaptation of the construction proposed in [33] to this new scenario. Such cryptosystems can be constructed from very weak (one-way CPA secure) PKEs and randomized encoding functions. In contrast, Rosen and Segev give a more general, however less efficient, construction of correlated secure trapdoor functions from lossy trapdoor functions. We show directly that a randomized version of the McEliece cryptosystem [28] is k-repetition CPA secure and obtain a CCA2 secure scheme in the standard model. The resulting cryptosystem encrypts many bits as opposed to the single-bit PKE obtained in [33]. We expand the public and secret-keys and the ciphertext by a factor of k when compared to the original McEliece PKE.

In a concurrent and independent work [16], Goldwasser and Vaikuntanathan proposed a new CCA2 secure public-key encryption scheme based on lattices using the construction by Rosen and Segev. Their scheme assumed that the problem of learning with errors (LWE) is hard [32].

A direct construction of correlated products based on McEliece and Niederreiter PKEs has been obtained by Persichetti [30] in a subsequent work.



II. PRELIMINARIES 



A. Notation 



If x is a string, then |x| denotes its length, while |S| represents the cardinality of a set S. If n ∈ ℕ then 1^n denotes the string of n ones. s ← S denotes the operation of choosing an element s of a set S uniformly at random, and w ← A(x, y, ...) represents the act of running the algorithm A with inputs x, y, ... and producing output w. We write w ← A^O(x, y, ...) for representing an algorithm A having access to an oracle O. We denote by Pr[E] the probability that the event E occurs. If a and b are two strings of bits or two matrices, we denote by a|b their concatenation. The transpose of a matrix M is M^T. If a and b are two strings of bits, we denote by ⟨a, b⟩ their dot product modulo 2 and by a ⊕ b their bitwise XOR. U_n is an oracle that returns a uniformly random element of {0, 1}^n.

We use the notion of randomized encoding-function for functions E that take an input m and random coins s and output a randomized representation E(m; s) from which m can be recovered using a decoding-function D. We will use such randomized encoding-functions to make messages entropic or unguessable.



B. Public-Key Encryption Schemes 

A Public-Key Encryption Scheme (PKE) is defined as 
follows: 

Definition 1: (Public-Key Encryption). A public-key encryption scheme is a triplet of algorithms (Gen, Enc, Dec) such that:

• Gen is a probabilistic polynomial-time key generation algorithm which takes as input a security parameter 1^n and outputs a public-key pk and a secret-key sk. The public-key specifies the message space M and the ciphertext space C.

• Enc is a (possibly) probabilistic polynomial-time encryption algorithm which receives as input a public-key pk, a message m ∈ M and random coins r, and outputs a ciphertext c ∈ C. We write Enc(pk, m; r) to indicate explicitly that the random coins r are used and Enc(pk, m) if fresh random coins are used.

• Dec is a deterministic polynomial-time decryption algorithm which takes as input a secret-key sk and a ciphertext c, and outputs either a message m ∈ M or an error symbol ⊥.

• (Completeness) For any pair of public and secret-keys generated by Gen and any message m ∈ M it holds that Dec(sk, Enc(pk, m; r)) = m with overwhelming probability over the randomness used by Gen and the random coins r used by Enc.

A basic security notion for public-key encryption schemes is One-Wayness under chosen-plaintext attacks (OW-CPA). This notion states that every PPT-adversary A, given a public-key pk and a ciphertext c of a uniformly chosen message m ∈ M, has only negligible probability of recovering the message m (the probability runs over the random coins used to generate the public and secret-keys, the choice of m and the coins of A).

Below we define the standard security notions for public-key encryption schemes, namely, indistinguishability against chosen-plaintext attacks (IND-CPA) [13] and against adaptive chosen-ciphertext attacks (IND-CCA2) [31]. Our game definition follows the approach of [11].

Definition 2: (IND-CPA security). To a two-stage adversary A = (A_1, A_2) against PKE we associate the following experiment.

Exp^{cpa}_{PKE,A}(n):
    (pk, sk) ← Gen(1^n)
    (m^0, m^1, state) ← A_1(pk) s.t. |m^0| = |m^1|
    b ← {0, 1}
    c* ← Enc(pk, m^b)
    b' ← A_2(c*, state)
    If b = b' return 1, else return 0.

We define the advantage of A in the experiment as

$$\mathrm{Adv}^{cpa}_{PKE,A}(n) = \left| \Pr\left[\mathrm{Exp}^{cpa}_{PKE,A}(n) = 1\right] - \tfrac{1}{2} \right|$$

We say that PKE is indistinguishable against chosen-plaintext attacks (IND-CPA) if for all probabilistic polynomial-time (PPT) adversaries A = (A_1, A_2) the advantage of A in the above experiment is a negligible function of n.

Definition 3: (IND-CCA2 security). To a two-stage adversary A = (A_1, A_2) against PKE we associate the following experiment.

Exp^{cca2}_{PKE,A}(n):
    (pk, sk) ← Gen(1^n)
    (m^0, m^1, state) ← A_1^{Dec(sk,·)}(pk) s.t. |m^0| = |m^1|
    b ← {0, 1}
    c* ← Enc(pk, m^b)
    b' ← A_2^{Dec(sk,·)}(c*, state)
    If b = b' return 1, else return 0.

The adversary A_2 is not allowed to query Dec(sk, ·) with c*. We define the advantage of A in the experiment as

$$\mathrm{Adv}^{cca2}_{PKE,A}(n) = \left| \Pr\left[\mathrm{Exp}^{cca2}_{PKE,A}(n) = 1\right] - \tfrac{1}{2} \right|$$

We say that PKE is indistinguishable against adaptive chosen-ciphertext attacks (IND-CCA2) if for all probabilistic polynomial-time (PPT) adversaries A = (A_1, A_2) that make a polynomial number of oracle queries the advantage of A in the experiment is a negligible function of n.

C. McEliece Cryptosystem 

In this Section we define the basic McEliece cryptosystem [25], following [36] and [28]. Let F_{n,t} be a family of binary linear error-correcting codes given by two parameters n and t. Each code C ∈ F_{n,t} has code length n and minimum distance greater than 2t. We further assume that there exists an efficient probabilistic algorithm Generate_{n,t} that samples a code C ∈ F_{n,t} represented by a generator-matrix G_C of dimensions l × n together with an efficient decoding procedure Decode_C that can correct up to t errors.

The McEliece PKE consists of a triplet of probabilistic algorithms (Gen_McE, Enc_McE, Dec_McE) such that:

• The probabilistic polynomial-time key generation algorithm Gen_McE computes (G_C, Decode_C) ← Generate_{n,t}(), sets pk = G_C and sk = Decode_C and outputs (pk, sk).

• The probabilistic polynomial-time encryption algorithm Enc_McE takes the public-key pk = G_C and a plaintext m ∈ F_2^l as input and outputs a ciphertext c = mG_C ⊕ e, where e ∈ {0, 1}^n is a random vector of Hamming-weight t.

• The deterministic polynomial-time decryption algorithm Dec_McE takes the secret-key sk = Decode_C and a ciphertext c ∈ F_2^n, computes m = Decode_C(c) and outputs m.

This basic variant of the McEliece cryptosystem is OW-CPA secure (for a proof see [36], Proposition 3.1), given that matrices G_C generated by Generate_{n,t} are pseudorandom (Assumption 4 below) and decoding random linear codes is hard when the noise vector has Hamming weight t.

There exist several optimizations for the basic scheme, mainly improving the size of the public-key. Biswas and Sendrier show that the public generator-matrix G can be reduced to row echelon form, reducing the size of the public-key from l·n to l·(n − l) bits. However, we cannot adopt this optimization into our scheme of Section IV^1, as it implies a simple attack compromising IND-CPA security^2 (whereas [5] prove OW-CPA security).

In this work we use a slightly modified version of the basic McEliece PKE scheme. Instead of sampling an error vector e by choosing it randomly from the set of vectors with Hamming-weight t, we generate e by choosing each of its bits according to the Bernoulli distribution B_θ with parameter θ = t/n − ε for some ε > 0. Clearly, a simple argument based on the Chernoff bound gives us that the resulting error vector should be within the error capabilities of the code but for a negligible probability in n. The reason for using this error-distribution is that one of our proofs utilizes the fact that the concatenation e_1|e_2 of two Bernoulli-distributed vectors e_1 and e_2 is again Bernoulli distributed. Clearly, it is not the case that e_1|e_2 is a uniformly chosen vector of Hamming-weight 2t if e_1 and e_2 are each uniformly chosen with Hamming-weight t.

Using the Bernoulli error-distribution, we base the security of our scheme on the pseudorandomness of the McEliece matrices G and the pseudorandomness of the learning parity with noise (LPN) problem (see below).

D. McEliece Assumptions and Attacks 

In this subsection, we discuss the hardness assumptions for the McEliece cryptosystem. Let F_{n,t} be a family of codes together with a generation-algorithm Generate_{n,t} as above and let G_C be the corresponding generator-matrices. An adversary can attack the McEliece cryptosystem in two ways: either he can try to discover the underlying structure which would allow him to decode efficiently or he can try to run a generic decoding algorithm. This high-level intuition that there are two different ways of attacking the cryptosystem can be formalized [36]. Accordingly, the security of the cryptosystem is based on two security assumptions.

The first assumption states that for certain families F_{n,t}, the distribution of generator-matrices G_C output by Generate_{n,t} is pseudorandom. Let l be the dimension of the codes in F_{n,t}.

Assumption 4: Let G_C be distributed by (G_C, Decode_C) ← Generate_{n,t}() and R be distributed by R ← U(F_2^{l×n}). For every PPT algorithm A it holds that

$$\left| \Pr[A(G_C) = 1] - \Pr[A(R) = 1] \right| < \mathrm{negl}(n).$$

In the classical instantiation of the McEliece cryptosystem, F_{n,t} is chosen to be the family of irreducible binary Goppa-codes of length n = 2^m and dimension l = n − tm. For this instantiation, an efficient distinguisher was built for the case of high-rate codes [12], [13] (i.e., codes where the rate is very close to 1). But, for codes that do not have a high rate, no generalization of the previous distinguisher is known and the best known attacks [8], [24] are based on the support splitting algorithm [35] and have exponential runtime. Therefore, one should be careful when choosing the parameters of the Goppa-codes, but for encryption schemes it is possible to use codes that do not have a high rate.

^1 Neither is it possible for the scheme of [28], on which our k-repetition McEliece scheme is based.

^2 The scheme of [28] encrypts by computing c = (m|s)·G ⊕ e. If G is in row-echelon form, m ⊕ e' is a prefix of c, where e' is a prefix of e. Thus an IND-CPA adversary can distinguish between the encryptions of two plaintexts m_0 and m_1 by checking whether the prefix of c* is closer to m_0 or m_1.

The second security assumption is the difficulty of the decoding problem (a classical problem in coding theory), or equivalently, the difficulty of the learning parity with noise (LPN) problem (a classical problem in learning theory). The best known algorithms for decoding a random linear code are based on the information set decoding technique [21], [22], [37]. Over the years, there have been improvements in the running time ([26] among others), but the best algorithms still run in exponential time.

Below we give the definition of the LPN problem following the description of [28].

Definition 5: (LPN search problem). Let s be a random binary string of length l. We consider the Bernoulli distribution B_θ with parameter θ ∈ (0, 1/2). Let Q_{s,θ} be the following distribution:

$$\left\{ (a, \langle s, a \rangle \oplus e) \;\middle|\; a \leftarrow \{0,1\}^l,\; e \leftarrow B_\theta \right\}$$

For an adversary A trying to discover the random string s, we define its advantage as:

$$\mathrm{Adv}_{LPN_\theta, A}(l) = \Pr\left[ A^{Q_{s,\theta}} = s \;\middle|\; s \leftarrow \{0,1\}^l \right]$$

The LPN_θ problem with parameter θ is hard if the advantage of all PPT adversaries A that make a polynomial number of oracle queries is negligible.

Katz and Shin [18] introduce a distinguishing variant of the LPN-problem, which is more useful in the context of encryption schemes.

Definition 6: (LPNDP, LPN distinguishing problem). Let s, a be binary strings of length l. Let further Q_{s,θ} be as in Definition 5. Let A be a PPT-adversary. The distinguishing-advantage of A between Q_{s,θ} and the uniform distribution U_{l+1} is defined as

$$\mathrm{Adv}_{LPNDP_\theta, A}(l) = \left| \Pr\left[ A^{Q_{s,\theta}} = 1 \;\middle|\; s \leftarrow \{0,1\}^l \right] - \Pr\left[ A^{U_{l+1}} = 1 \right] \right|$$

The LPNDP_θ with parameter θ is hard if the advantage of all PPT adversaries A is negligible.

Further, [18] show that the LPN-distinguishing problem is as hard as the LPN search-problem with similar parameters.

Lemma 1: ([18]) Say there exists an algorithm A making q oracle queries, running in time t, and such that

$$\mathrm{Adv}_{LPNDP_\theta, A}(l) \ge \delta.$$

Then there exists an adversary A' making q' = O(q δ^{-2} log l) oracle queries, running in time t' = O(t l δ^{-2} log l), and such that

$$\mathrm{Adv}_{LPN_\theta, A'}(l) \ge \frac{\delta}{4}.$$

The reader should be aware that in the current state of the art, the average-case hardness of these two assumptions, as well as all other assumptions used in public-key cryptography, cannot be reduced to the worst-case hardness of an NP-hard problem^3 (and even if that was the case, we do not even know if P ≠ NP). The confidence in the hardness of solving all these problems in the average case (which is what cryptography really needs) comes from the lack of efficient solutions despite the efforts of the scientific community over the years. But more studies are, of course, necessary in order to better assess the difficulty of such problems. We should highlight that when compared to cryptosystems based on number-theoretical assumptions such as the hardness of factoring or of computing the discrete-log, the cryptosystems based on coding and lattice assumptions have the advantage that no efficient quantum algorithm breaking the assumptions is known. One should also be careful when implementing the McEliece cryptosystem so as to avoid side-channel attacks [38].

Fig. 1. A table of McEliece key parameters and security estimates taken from [36].

(m, t)    | plaintext size (bits) | ciphertext size (bits) | security (key)
(10, 50)  | 524                   | 1024                   | 491
(11, 32)  | 1696                  | 2048                   | 344
(12, 40)  | 3616                  | 4096                   | 471



E. Signature Schemes 

Now we define signature schemes (SS) and the security notion called one-time strong unforgeability.

Definition 7: (Signature Scheme). A signature scheme is a triplet of algorithms (Gen, Sign, Ver) such that:

• Gen is a probabilistic polynomial-time key generation algorithm which takes as input a security parameter 1^n and outputs a verification key vk and a signing key dsk. The verification key specifies the message space M and the signature space S.

• Sign is a (possibly) probabilistic polynomial-time signing algorithm which receives as input a signing key dsk and a message m ∈ M, and outputs a signature σ ∈ S.

• Ver is a deterministic polynomial-time verification algorithm which takes as input a verification key vk, a message m ∈ M and a signature σ ∈ S, and outputs a bit indicating whether σ is a valid signature for m or not (i.e., the algorithm outputs 1 if it is a valid signature and outputs 0 otherwise).

• (Completeness) For any pair of signing and verification keys generated by Gen and any message m ∈ M it holds that Ver(vk, m, Sign(dsk, m)) = 1 with overwhelming probability over the randomness used by Gen and Sign.

Definition 8: (One-Time Strong Unforgeability). To a two-stage adversary A = (A_1, A_2) against SS we associate the following experiment.

Exp_{SS,A}(n):
    (vk, dsk) ← Gen(1^n)
    (m, state) ← A_1(vk)
    σ ← Sign(dsk, m)
    (m*, σ*) ← A_2(m, σ, state)
    If Ver(vk, m*, σ*) = 1 and (m*, σ*) ≠ (m, σ) return 1, else return 0.

We say that a signature scheme SS is one-time strongly unforgeable if for all probabilistic polynomial-time (PPT) adversaries A = (A_1, A_2) the probability that Exp_{SS,A}(n) outputs 1 is a negligible function of n. One-way functions are sufficient to construct existentially unforgeable one-time signature schemes [20], [27].

^3 Quite remarkably, some lattice problems enjoy average-case to worst-case reductions, but these are not for problems known to be NP-hard.

III. k-REPETITION PKE

A. Definitions

We now define a k-repetition Public-Key Encryption.

Definition 9: (k-repetition Public-Key Encryption). For a PKE (Gen, Enc, Dec) and a randomized encoding-function E with a decoding-function D, we define the k-repetition public-key encryption scheme (PKE_k) as the triplet of algorithms (Gen_k, Enc_k, Dec_k) such that:

• Gen_k is a probabilistic polynomial-time key generation algorithm which takes as input a security parameter 1^n and calls PKE's key generation algorithm k times obtaining the public-keys (pk_1, ..., pk_k) and the secret-keys (sk_1, ..., sk_k). Gen_k sets the public-key as pk = (pk_1, ..., pk_k) and the secret-key as sk = (sk_1, ..., sk_k).

• Enc_k is a probabilistic polynomial-time encryption algorithm which receives as input a public-key pk = (pk_1, ..., pk_k), a message m ∈ M and coins s and r_1, ..., r_k, and outputs a ciphertext c = (c_1, ..., c_k) = (Enc(pk_1, E(m; s); r_1), ..., Enc(pk_k, E(m; s); r_k)).

• Dec_k is a deterministic polynomial-time decryption algorithm which takes as input a secret-key sk = (sk_1, ..., sk_k) and a ciphertext c = (c_1, ..., c_k). It outputs a message m if D(Dec(sk_1, c_1)), ..., D(Dec(sk_k, c_k)) are all equal to some m ∈ M. Otherwise, it outputs an error symbol ⊥.

• (Completeness) For any k pairs of public and secret-keys generated by Gen_k and any message m ∈ M it holds that Dec_k(sk, Enc_k(pk, m)) = m with overwhelming probability over the random coins used by Gen_k and Enc_k.

We also define security properties that the k-repetition Public-Key Encryption scheme used in the next sections should meet.

Definition 10: (Security under uniform k-repetition of encryption schemes). We say that PKE_k (built from an encryption scheme PKE) is secure under uniform k-repetition if PKE_k is IND-CPA secure.

Definition 11: (Verification under uniform k-repetition of encryption schemes). We say that PKE_k is verifiable under uniform k-repetition if there exists an efficient deterministic algorithm Verify such that given a ciphertext c ∈ C, the public-key pk = (pk_1, ..., pk_k) and any sk_i for i ∈ {1, ..., k}, it holds that if Verify(c, pk, sk_i) = 1 then Dec_k(sk, c) = m for some m (i.e. c decrypts to a valid plaintext).

Notice that for the scheme PKE_k to be verifiable, the underlying scheme PKE cannot be IND-CPA secure, as the verification algorithm of PKE_k implies an efficient IND-CPA adversary against PKE. Thus, we may only require that PKE is OW-CPA secure.

B. IND-CCA2 Security from verifiable IND-CPA Secure k-repetition PKE

In this subsection we construct the IND-CCA2 secure public-key encryption scheme (PKE_{cca2}) and prove its security. We assume the existence of a one-time strongly unforgeable signature scheme SS = (Gen, Sign, Ver) and of a PKE_k that is secure and verifiable under uniform k-repetition.

We use the following notation for derived keys: For a public-key pk = (pk_1^0, pk_1^1, ..., pk_k^0, pk_k^1) and a k-bit string vk we write pk^{vk} = (pk_1^{vk_1}, ..., pk_k^{vk_k}). We will use the same notation for secret-keys sk.

• Key Generation: Gen_{cca2} is a probabilistic polynomial-time key generation algorithm which takes as input a security parameter 1^n. Gen_{cca2} calls PKE's key generation algorithm 2k times to obtain public-keys pk_1^0, pk_1^1, ..., pk_k^0, pk_k^1 and secret-keys sk_1^0, sk_1^1, ..., sk_k^0, sk_k^1. It sets pk = (pk_1^0, pk_1^1, ..., pk_k^0, pk_k^1), sk = (sk_1^0, sk_1^1, ..., sk_k^0, sk_k^1) and outputs (pk, sk).

• Encryption: Enc_{cca2} is a probabilistic polynomial-time encryption algorithm which receives as input the public-key pk = (pk_1^0, pk_1^1, ..., pk_k^0, pk_k^1) and a message m ∈ M, and proceeds as follows:

1) Executes the key generation algorithm of the signature scheme obtaining a signing key dsk and a verification key vk.

2) Computes c' = Enc_k(pk^{vk}, m; r) where r are random coins.

3) Computes the signature σ ← Sign(dsk, c').

4) Outputs the ciphertext c = (c', vk, σ).

• Decryption: Dec_{cca2} is a deterministic polynomial-time decryption algorithm which takes as input a secret-key sk = (sk_1^0, sk_1^1, ..., sk_k^0, sk_k^1) and a ciphertext c = (c', vk, σ) and proceeds as follows:

1) If Ver(vk, c', σ) = 0, it outputs ⊥ and halts.

2) It computes and outputs m = Dec_k(sk^{vk}, c').

Note that if c' is an invalid ciphertext (i.e. not all components decrypt to the same plaintext), then Dec_{cca2} outputs ⊥ as Dec_k outputs ⊥.

As in [33], we can apply a universal one-way hash function to the verification keys (as in [10]) and use k = n^ε for a constant 0 < ε < 1. Note that the hash function in question need not be modeled as a random oracle. For ease of presentation, we do not apply this method in our scheme description.
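The key generation, encryption and decryption steps above, as an added example that is not code from the paper: it assumes a Lamport one-time signature over SHA-256, a SHA-256-derived k-bit selector standing in for the universal one-way hash, and a constructed symmetric stand-in for PKE_k (toy_gen, toy_enc_k, toy_dec_k) whose only purpose is to let the wrapper run.

```python
import hashlib
import os
from typing import Callable, List, Optional, Tuple

# Added example of the PKE_cca2 construction of Section III-B (not code from
# the paper). Assumptions: the one-time signature is a Lamport scheme over
# SHA-256; the k selector bits are derived from vk with SHA-256 (the hashed-vk
# variant the text mentions); the k-repetition scheme is passed in as callables
# (gen_k, enc_k, dec_k). The stand-in at the bottom is a constructed symmetric
# toy with no security, present only so that the wrapper runs end to end.

K = 8                                   # number of selector bits k
Bytes = bytes

def h(data: Bytes) -> Bytes:
    return hashlib.sha256(data).digest()

def bits_of(digest: Bytes, n: int) -> List[int]:
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(n)]

# One-time signature (Lamport): dsk holds 256 preimage pairs, vk their hashes.
def ots_gen():
    dsk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return [(h(a), h(b)) for a, b in dsk], dsk

def ots_sign(dsk, msg: Bytes) -> List[Bytes]:
    return [dsk[i][b] for i, b in enumerate(bits_of(h(msg), 256))]

def ots_ver(vk, msg: Bytes, sig: List[Bytes]) -> bool:
    return len(sig) == 256 and all(
        h(sig[i]) == vk[i][b] for i, b in enumerate(bits_of(h(msg), 256)))

def vk_bits(vk) -> List[int]:
    """k selector bits from vk (stands in for the universal one-way hash)."""
    return bits_of(h(b"".join(a + b for a, b in vk)), K)

def serialize(c_prime: List[Bytes]) -> Bytes:
    """Unambiguous byte encoding of c' = (c_1, ..., c_k) for signing."""
    return b"".join(len(x).to_bytes(4, "big") + x for x in c_prime)

# PKE_cca2: 2k key pairs; vk selects pk^{vk} = (pk_1^{vk_1}, ..., pk_k^{vk_k}).
def gen_cca2(gen_k: Callable):
    pairs = [gen_k() for _ in range(2 * K)]       # pk_1^0, pk_1^1, ..., pk_k^0, pk_k^1
    return [p for p, _ in pairs], [s for _, s in pairs]

def select(keys: list, bits: List[int]) -> list:
    return [keys[2 * i + b] for i, b in enumerate(bits)]

def enc_cca2(enc_k: Callable, pk: list, m: Bytes):
    vk, dsk = ots_gen()                                    # step 1: fresh OTS keys
    c_prime = enc_k(select(pk, vk_bits(vk)), m)            # step 2: Enc_k(pk^{vk}, m)
    return c_prime, vk, ots_sign(dsk, serialize(c_prime))  # steps 3-4: sign, output

def dec_cca2(dec_k: Callable, sk: list, c) -> Optional[Bytes]:
    c_prime, vk, sig = c
    if not ots_ver(vk, serialize(c_prime), sig):
        return None                                        # ⊥: Ver(vk, c', σ) = 0
    return dec_k(select(sk, vk_bits(vk)), c_prime)         # ⊥ if components disagree

# Constructed stand-in for PKE_k: pk == sk, each component XORs m with a key
# stream derived from the key. NOT a public-key scheme; it only exercises the wrapper.
def toy_gen():
    key = os.urandom(32)
    return key, key

def toy_enc_k(pks, m: Bytes) -> List[Bytes]:
    return [bytes(x ^ y for x, y in zip(m, h(pk))) for pk in pks]      # |m| <= 32

def toy_dec_k(sks, c_prime: List[Bytes]) -> Optional[Bytes]:
    ms = [bytes(x ^ y for x, y in zip(ci, h(sk))) for sk, ci in zip(sks, c_prime)]
    return ms[0] if all(mi == ms[0] for mi in ms) else None

def demo() -> Tuple[Optional[Bytes], Optional[Bytes], Optional[Bytes]]:
    """Honest decryption; a ciphertext with c' altered (signature fails); and a
    ciphertext re-signed under a different vk (the selected keys no longer match)."""
    pk, sk = gen_cca2(toy_gen)
    c = enc_cca2(toy_enc_k, pk, b"hello")
    c_prime, vk, sig = c
    altered = ([bytes([c_prime[0][0] ^ 1]) + c_prime[0][1:]] + c_prime[1:], vk, sig)
    vk2, dsk2 = ots_gen()
    while vk_bits(vk2) == vk_bits(vk):       # make sure a different key set is selected
        vk2, dsk2 = ots_gen()
    reswapped = (c_prime, vk2, ots_sign(dsk2, serialize(c_prime)))
    return (dec_cca2(toy_dec_k, sk, c), dec_cca2(toy_dec_k, sk, altered),
            dec_cca2(toy_dec_k, sk, reswapped))
```

The second rejection in demo() is the one Lemma 3 relies on: a ciphertext re-signed under a fresh vk is answered with keys the encryptor never used, so the components disagree and Dec_k returns ⊥.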

Theorem 1: Given that SS is a one-time strongly unforgeable signature scheme and that PKE_k is IND-CPA secure and verifiable under uniform k-repetition, the public-key encryption scheme PKE_{cca2} is IND-CCA2 secure.



Proof: In this proof, we closely follow [33]. Denote by A the IND-CCA2 adversary. Consider the following sequence of games.

• Game 1: This is the IND-CCA2 game.

• Game 2: Same as game 1, except that the signature-keys (vk*, dsk*) that are used for the challenge-ciphertext c* are generated before the interaction with A starts. Further, game 2 always outputs ⊥ if A sends a decryption query c = (c', vk, σ) with vk = vk*.

We will now establish the remaining steps in two lemmata.

Lemma 2: It holds that view_{Game1}(A) ≈_c view_{Game2}(A), given that (Gen, Sign, Ver) is a one-time strongly unforgeable signature scheme.

Proof: Given that A does not send a valid decryption query c = (c', vk, σ) with vk = vk* and c ≠ c*, A's views in game 1 and game 2 are identical. Thus, in order to distinguish game 1 and game 2, A must send a valid decryption query c = (c', vk, σ) with vk = vk* and c ≠ c*. We will use A to construct an adversary B against the one-time strong unforgeability of the signature scheme (Gen, Sign, Ver). B basically simulates the interaction of game 2 with A; however, instead of generating vk* itself, it uses the vk* obtained from the one-time strong unforgeability experiment. Furthermore, B generates the signature σ for the challenge-ciphertext c* by using the signing oracle provided by the one-time strong unforgeability game. Whenever A sends a valid decryption query c = (c', vk, σ) with vk = vk* and c ≠ c*, B terminates and outputs (c', σ). Obviously, A's output is identically distributed in game 2 and in B's simulation. Therefore, if A distinguishes between game 1 and game 2 with non-negligible advantage ε, then B's probability of forging a signature is also ε, thus breaking the one-time strong unforgeability of (Gen, Sign, Ver). ■

Lemma 3: It holds that Adv_{Game2}(A) is negligible in the security parameter, given that PKE_k is verifiable and IND-CPA secure under uniform k-repetition.

Proof: Assume that Adv_{Game2}(A) > ε for some non-negligible ε. We will now construct an IND-CPA adversary B against PKE_k that breaks the IND-CPA security of PKE_k with advantage ε. Instead of generating pk like game 2, B proceeds as follows. Let pk* = (pk_1^*, ..., pk_k^*) be the public-key provided by the IND-CPA experiment to B. B first generates a pair of keys for the signature scheme (vk*, dsk*) ← Gen(1^n). Then, the public-key pk is formed by setting pk^{vk*} = pk*. All remaining components pk_i^j of pk are generated by (pk_i^j, sk_i^j) ← Gen(1^n), for which B stores the corresponding sk_i^j. Clearly, the pk generated by B is identically distributed to the pk generated by game 2, as the Gen-algorithm of PKE_k generates the components of pk independently. Now, whenever A sends a decryption query c = (c', vk, σ), where vk ≠ vk* (decryption queries with vk = vk* are not answered by game 2), B picks an index i with vk_i ≠ vk_i^* and checks if Verify(c', pk, sk_i^{vk_i}) = 1; if not, it outputs ⊥. Otherwise it computes m = D(Dec(sk_i^{vk_i}, c'_i)). Verifiability guarantees that Dec_k(sk^{vk}, c') = m, i.e. the output m is identically distributed as in game 2. When A sends the challenge-messages m_0, m_1, B forwards m_0, m_1 to the IND-CPA experiment and receives a challenge-ciphertext c*'. B then computes σ = Sign(dsk*, c*') and sends c* = (c*', vk*, σ) to A. This c* is identically distributed as in game 2. Once A produces output, B outputs whatever A outputs. Putting it all together, A's views are identically distributed in game 2 and in the simulation of B. Therefore it holds that Adv_{IND-CPA}(B) = Adv_{Game2}(A) > ε. Thus B breaks the IND-CPA security of PKE_k with non-negligible advantage ε, contradicting the assumption. ■

Plugging Lemma 2 and Lemma 3 together immediately establishes that any PPT IND-CCA2 adversary A has at most negligible advantage in winning the IND-CCA2 experiment for the scheme PKE_{cca2}. ■

IV. A Verifiable k-repetition McEliece Scheme

In this section, we will instantiate a verifiable k-repetition encryption scheme PKE_{McE,k} = (Gen_{McE,k}, Enc_{McE,k}, Dec_{McE,k}) based on the McEliece cryptosystem.

In [28] it was proved that the cryptosystem obtained by changing the encryption algorithm of the McEliece cryptosystem to encrypt s|m (where s is random padding) instead of just encrypting the message m (the so called Randomized McEliece cryptosystem) is IND-CPA secure, if |s| is chosen sufficiently large for the LPNDP to be hard (e.g. linear in the security-parameter n). We will therefore use the randomized encoding-function E(m; s) = s|m (with |s| ∈ Ω(n)) in our verifiable k-repetition McEliece scheme. As basis scheme PKE for our verifiable k-repetition McEliece scheme we use the OW-CPA secure textbook McEliece with a Bernoulli error-distribution.

The verification algorithm Verify_{McE}(c, pk, sk_i) works as follows. Given a secret-key sk_i from the secret-key vector sk, it first decrypts the i-th component of c by x = Dec_{McE}(sk_i, c_i). Then, for all j = 1, ..., k, it checks whether the vectors c_j ⊕ xG_j have a Hamming-weight smaller than t, where G_j is the generator-matrix given in pk_j. If so, Verify_{McE} outputs 1, otherwise 0. Clearly, if Verify_{McE} accepts, then all ciphertexts c_j are close enough to the respective codewords xG_j, i.e. invoking Dec_{McE}(sk_j, c_j) would also output x. Therefore, we have that Verify_{McE}(c, pk, sk_i) = 1 if and only if Dec_{McE,k}(sk, c) = m for some m ∈ M.

A. Security of the k-repetition Randomized McEliece

We now prove that the modified Randomized McEliece is IND-CPA secure under k-repetition.

By the completeness of each instance, the probability that in one instance i ∈ {1, ..., k} a correctly generated ciphertext is incorrectly decoded is negligible. Since k is polynomial, it follows by the union bound that the probability that a correctly generated ciphertext of PKE_{McE,k} is incorrectly decoded is also negligible. So PKE_{McE,k} meets the completeness requirement.

Denote by R_1, ..., R_k random matrices of size l × n, by G_1, ..., G_k the public-key matrices of the McEliece cryptosystem and by e_1, ..., e_k the error vectors. Define l_1 = |s| and l_2 = |m|. Let R_{i,1} and R_{i,2} be the l_1 × n and l_2 × n sub-matrices of R_i such that R_i^T = R_{i,1}^T | R_{i,2}^T. Define G_{i,1} and G_{i,2} similarly.

Lemma 4: The scheme PKE_{McE,k} is IND-CPA secure, given that both the McEliece assumption and the LPNDP assumption hold.

Proof: Let A be an IND-CPA adversary against PKE_{McE,k}. Consider the following three games.

• Game 1: This is the IND-CPA game.

• Game 2: Same as game 1, except that the components pk_i of the public-key pk are computed by pk_i = (R_i, t, M, C) instead of pk_i = (G_i, t, M, C), where R_i is a randomly chosen matrix of the same size as G_i.

• Game 3: Same as game 2, except that the components c_i of the challenge-ciphertext c* are not computed by c_i = (s|m)R_i ⊕ e_i but rather chosen uniformly at random.

Indistinguishability of game 1 and game 2 follows by a simple hybrid-argument using the McEliece assumption; we omit this for the sake of brevity. The indistinguishability of game 2 and game 3 can be established as follows. First observe that it holds that

$$c_i = (s|m)R_i \oplus e_i = (sR_{i,1} \oplus e_i) \oplus mR_{i,2} \quad \text{for } i = 1, \ldots, k.$$

Setting $\mathbf{R}_1 = R_{1,1}|\ldots|R_{k,1}$, $\mathbf{R}_2 = R_{1,2}|\ldots|R_{k,2}$ and $e = e_1|\ldots|e_k$, we can write

$$c^* = (s\mathbf{R}_1 \oplus e) \oplus m\mathbf{R}_2.$$

Now, the LPNDP assumption allows us to substitute $s\mathbf{R}_1 \oplus e$ with a uniformly distributed random vector u, as s and $\mathbf{R}_1$ are uniformly distributed and e is Bernoulli distributed. Therefore $c^* = u \oplus m\mathbf{R}_2$ is also uniformly distributed. Thus we have reached game 3. A's advantage in game 3 is obviously 0, as the challenge-ciphertext c* is statistically independent of the challenge bit b. This concludes the proof. ■

V. Generalized Scheme 

As in [33], it is possible to generalize the scheme to encrypt correlated messages instead of encrypting $k$ times the same message $m$. In this section, we show that a similar approach is possible for our scheme, yielding an IND-CCA2 secure McEliece variant that has asymptotically the same ciphertext expansion as the efficient IND-CPA scheme of [19]. We now present a generalized version of our encryption scheme using a correlated plaintext space.

A. Definitions 

Definition 12: (r-Correlated Messages) We call a tuple of messages $(m_1, \ldots, m_k)$ $r$-correlated for some constant $0 < \gamma < 1$ and $r = (1 - \gamma)k$, if given any $r$ messages of the tuple it is possible to efficiently recover all the messages. We denote the space of such message tuples by $\mathcal{M}_{cor}$.

Basically, $r$-correlated messages can be erasure-corrected. Now we define a correlated public-key encryption scheme.

Definition 13: (Correlated Public-Key Encryption) For a PKE $(\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ and a randomized encoding function $E$ that maps from the plaintext space $\mathcal{M}$ to the correlated plaintext space $\mathcal{M}_{cor}$ (with corresponding decoding function $D$), we define the correlated public-key encryption scheme ($\mathrm{PKE}_{cor}$) as the triplet of algorithms $(\mathrm{Gen}_{cor}, \mathrm{Enc}_{cor}, \mathrm{Dec}_{cor})$ such that:

• $\mathrm{Gen}_{cor}$ is a probabilistic polynomial-time key generation algorithm which takes as input a security parameter $1^n$ and calls PKE's key generation algorithm $k$ times, obtaining the public keys $(pk_1, \ldots, pk_k)$ and the secret keys $(sk_1, \ldots, sk_k)$. $\mathrm{Gen}_{cor}$ sets the public key as $pk = (pk_1, \ldots, pk_k)$ and the secret key as $sk = (sk_1, \ldots, sk_k)$.

• $\mathrm{Enc}_{cor}$ is a probabilistic polynomial-time encryption algorithm which receives as input a public key $pk = (pk_1, \ldots, pk_k)$ and a message $m \in \mathcal{M}$. The algorithm computes $\hat m = (\hat m_1, \ldots, \hat m_k) = E(m; s)$ (with fresh random coins $s$) and outputs the ciphertext $c = (c_1, \ldots, c_k) = (\mathrm{Enc}(pk_1, \hat m_1), \ldots, \mathrm{Enc}(pk_k, \hat m_k))$.

• $\mathrm{Dec}_{cor}$ is a deterministic polynomial-time decryption algorithm which takes as input a secret key $sk = (sk_1, \ldots, sk_k)$ and a ciphertext $c = (c_1, \ldots, c_k)$. It first computes the tuple $\hat m = (\hat m_1, \ldots, \hat m_k)$ by decrypting each component, $\hat m_i = \mathrm{Dec}(sk_i, c_i)$, and outputs $m = D(\hat m)$ if $\hat m \in \mathcal{M}_{cor}$; if not, it outputs the error symbol $\bot$.

• (Completeness) For any $k$ pairs of public and secret keys generated by $\mathrm{Gen}_{cor}$ and any message $m = (m_1, \ldots, m_k) \in \mathcal{M}_{cor}$ it holds that $\mathrm{Dec}_{cor}(sk, \mathrm{Enc}_{cor}(pk, m)) = m$ with overwhelming probability over the randomness used by $\mathrm{Gen}_{cor}$ and $\mathrm{Enc}_{cor}$.

We also define security properties that the correlated public-key encryption scheme used in the next sections should meet.

Definition 14: (Security of Correlated Public-Key Encryption) We say that $\mathrm{PKE}_{cor}$ (built from an encryption scheme PKE) is secure if $\mathrm{PKE}_{cor}$ is IND-CPA secure.

Definition 15: (r-Verification) We say that $\mathrm{PKE}_{cor}$ is $r$-verifiable if there exists an efficient deterministic algorithm $\mathrm{Verify}$ such that, given a ciphertext $c \in \mathcal{C}$, the public key $pk = (pk_1, \ldots, pk_k)$ and any $r$ distinct secret keys $sk_T = (sk_{t_1}, \ldots, sk_{t_r})$ (with $T = \{t_1, \ldots, t_r\}$), it holds that if $\mathrm{Verify}(c, pk, T, sk_T) = 1$ then $\mathrm{Dec}_{cor}(sk, c) = m$ for some $m \neq \bot$ (i.e. $c$ decrypts to a valid plaintext).

B. IND-CCA2 Security from IND-CPA Secure Correlated PKE 

We now describe the IND-CCA2 secure public-key encryption scheme ($\mathrm{PKE}'_{cca2}$) built using the correlated PKE and prove its security. We assume the existence of a correlated PKE, $\mathrm{PKE}_{cor}$, that is secure and $r$-verifiable. We also use an error correcting code $\mathrm{ECC} : \Sigma^l \to \Sigma^k$ with minimum distance $r$ and polynomial-time encoding. Finally, we assume the existence of a one-time strongly unforgeable signature scheme $\mathrm{SS} = (\mathrm{Gen}, \mathrm{Sign}, \mathrm{Ver})$ in which the verification keys are elements of $\Sigma^l$ (we assume that the verification keys are elements of $\Sigma^l$ only for simplicity; any signature scheme can be used if there is an injective mapping from the set of verification keys to $\Sigma^l$).

We will use the following notation: for a codeword $d = (d_1, \ldots, d_k) \in \mathrm{ECC}$, set $pk_d = (pk_1^{d_1}, \ldots, pk_k^{d_k})$. Analogously for $sk$.

• Key Generation: $\mathrm{Gen}'_{cca2}$ is a probabilistic polynomial-time key generation algorithm which takes as input a security parameter $1^n$. $\mathrm{Gen}'_{cca2}$ proceeds as follows. It calls PKE's key generation algorithm $|\Sigma| \cdot k$ times, obtaining the public keys $(pk_1^1, \ldots, pk_1^{|\Sigma|}, \ldots, pk_k^1, \ldots, pk_k^{|\Sigma|})$ and the secret keys $(sk_1^1, \ldots, sk_1^{|\Sigma|}, \ldots, sk_k^1, \ldots, sk_k^{|\Sigma|})$. It outputs $pk = (pk_1^1, \ldots, pk_k^{|\Sigma|})$ and $sk = (sk_1^1, \ldots, sk_k^{|\Sigma|})$.

• Encryption: $\mathrm{Enc}'_{cca2}$ is a probabilistic polynomial-time encryption algorithm which receives as input the public key $pk = (pk_1^1, \ldots, pk_k^{|\Sigma|})$ and a message $m = (m_1, \ldots, m_k) \in \mathcal{M}$ and proceeds as follows:

1) Executes the key generation algorithm of the signature scheme SS, obtaining a signing key $dsk$ and a verification key $vk$. Computes $d = \mathrm{ECC}(vk)$. Let $d_i$ denote the $i$-th element of $d$.

2) Computes $c' = \mathrm{Enc}_{cor}(pk_d, m)$.

3) Computes the signature $\sigma = \mathrm{Sign}(dsk, c')$.

4) Outputs the ciphertext $c = (c', vk, \sigma)$.

• Decryption: $\mathrm{Dec}'_{cca2}$ is a deterministic polynomial-time decryption algorithm which takes as input a secret key $sk = (sk_1^1, \ldots, sk_k^{|\Sigma|})$ and a ciphertext $c = (c', vk, \sigma)$ and proceeds as follows:

1) If $\mathrm{Ver}(vk, c', \sigma) = 0$, it outputs $\bot$ and halts. Otherwise, it performs the following steps.

2) Computes $d = \mathrm{ECC}(vk)$.

3) Computes $m = \mathrm{Dec}_{cor}(sk_d, c')$ and outputs $m$.
Theorem 2: Given that SS is a one-time strongly unforgeable signature scheme and that $\mathrm{PKE}_{cor}$ is secure and $r$-verifiable, the public-key encryption scheme $\mathrm{PKE}'_{cca2}$ is IND-CCA2 secure.

Proof: The proof is almost identical to the proof of Theorem 1. Denote by $\mathcal{A}$ the IND-CCA2 adversary. Consider the following two games.

• Game 1: This is the IND-CCA2 game.

• Game 2: Same as game 1, except that the signature keys $(vk^*, dsk^*)$ that are used for the challenge ciphertext $c^*$ are generated before the interaction with $\mathcal{A}$ starts. Further, game 2 terminates and outputs $\bot$ if $\mathcal{A}$ sends a decryption query $c = (c', vk, \sigma)$ with $vk = vk^*$.

Again, we will split the proof of Theorem 2 into two lemmata.

Lemma 5: From $\mathcal{A}$'s view, game 1 and game 2 are computationally indistinguishable, given that SS is an existentially unforgeable one-time signature scheme.

We omit the proof, since it is identical to the proof of Lemma 2.

Lemma 6: It holds that $\mathrm{Adv}_{Game2}(\mathcal{A})$ is negligible in the security parameter, given that $\mathrm{PKE}_{cor}$ is a verifiable IND-CPA secure correlated public-key encryption scheme.

Proof: We proceed as in the proof of Lemma 3. Assume that $\mathrm{Adv}_{Game2}(\mathcal{A}) > \epsilon$ for some non-negligible $\epsilon$. We will now construct an IND-CPA adversary $\mathcal{B}$ against $\mathrm{PKE}_{cor}$ that breaks the IND-CPA security of $\mathrm{PKE}_{cor}$ with advantage $\epsilon$. Again, instead of generating $pk$ like game 2, $\mathcal{B}$ will construct $pk$ using the public key $pk'$ provided by the IND-CPA experiment. Let $d^* = \mathrm{ECC}(vk^*)$. $\mathcal{B}$ sets $pk_{d^*} = pk'$. All remaining components $pk_i^j$ of $pk$ are generated by $(pk_i^j, sk_i^j) \leftarrow \mathrm{Gen}(1^n)$, and $\mathcal{B}$ stores the corresponding $sk_i^j$. Obviously, the $pk$ generated by $\mathcal{B}$ is identically distributed to the $pk$ generated by game 2, as in both cases all components $pk_i^j$ are generated independently by the key generation algorithm Gen of PKE.

Whenever $\mathcal{A}$ sends a decryption query with $vk \neq vk^*$, $\mathcal{B}$ does the following. Let $d = \mathrm{ECC}(vk)$ and $d^* = \mathrm{ECC}(vk^*)$. Since the two codewords $d$ and $d^*$ are distinct and the code ECC has minimum distance $r$, there exists an $r$-set of indices $T \subseteq \{1, \ldots, k\}$ such that $d_t \neq d^*_t$ for all $t \in T$. Thus, the public keys $pk_t^{d_t}$ for $t \in T$ were generated by $\mathcal{B}$, and it therefore knows the corresponding secret keys $sk_t^{d_t}$. $\mathcal{B}$ checks whether $\mathrm{Verify}(c', pk_d, T, sk_T) = 1$ holds, i.e. whether $c'$ is a valid ciphertext for $\mathrm{PKE}_{cor}$ under the public key $pk_d$. If so, $\mathcal{B}$ decrypts $\hat m_T = (\hat m_t \mid t \in T) = (\mathrm{Dec}(sk_t^{d_t}, c'_t) \mid t \in T)$. Since the plaintext space $\mathcal{M}_{cor}$ is $r$-correlated, $\mathcal{B}$ can efficiently recover the whole tuple $\hat m$ from the $r$-submessage $\hat m_T$. Finally, $\mathcal{B}$ decodes $m = D(\hat m)$ to recover the message $m$ and outputs $m$ to $\mathcal{A}$. Observe that the verifiability property of $\mathrm{PKE}_{cor}$ holds regardless of the subset $T$ used to verify. Thus, from $\mathcal{A}$'s view the decryption oracle behaves identically in game 2 and in $\mathcal{B}$'s simulation.
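The key layout of $\mathrm{Gen}'_{cca2}$ above and the index set $T$ that $\mathcal{B}$ relies on in this argument, as an added Python example that is not the paper's code: the Reed-Solomon-style ECC over $\mathbb{Z}_7$ with $k = 5$, the stand-in key pairs and all function names are constructed assumptions.

```python
import random

# Constructed toy instance (not the paper's code). The ECC is a Reed-Solomon-style code
# over Z_P of length K: a verification key vk = (a, b) is encoded as the evaluations of
# a + b*x at x = 1..K, so two distinct codewords agree in at most one position and the
# minimum distance is R = K - 1. Key pairs are stand-ins for those of PKE_cor's Gen.
P, K = 7, 5
R = K - 1

def ecc(vk):
    a, b = vk
    return tuple((a + b * x) % P for x in range(1, K + 1))

def min_distance():  # brute-force check of the minimum distance over all codewords
    words = [ecc((a, b)) for a in range(P) for b in range(P)]
    return min(sum(u != v for u, v in zip(c1, c2)) for c1 in words for c2 in words if c1 != c2)

def gen_cca2(rng=random.Random(3)):
    # Gen'_cca2: |Sigma| * K key pairs; pk[i][sigma] belongs to position i and symbol sigma.
    # A stand-in pair is (pk = (i, sigma), sk = random secret) in place of a real PKE key pair.
    pk = [[(i, sigma) for sigma in range(P)] for i in range(K)]
    sk = [[rng.getrandbits(32) for _ in range(P)] for _ in range(K)]
    return pk, sk

def select(keys, d):  # pk_d = (pk_1^{d_1}, ..., pk_K^{d_K}); identical for sk_d
    return [keys[i][d[i]] for i in range(K)]

def simulator_keys(sk, vk, vk_star):
    # B embedded the challenge public key at the positions d* = ECC(vk*) and holds no secret
    # key there. For a query with vk != vk* it holds sk_i^{d_i} wherever d_i != d*_i, which
    # is at least R positions: enough for Verify and for the r-correlated plaintext space.
    d, d_star = ecc(vk), ecc(vk_star)
    T = [i for i in range(K) if d[i] != d_star[i]]
    return T, {i: sk[i][d[i]] for i in T}
```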

Finally, when $\mathcal{A}$ sends its challenge messages $m_0$ and $m_1$, $\mathcal{B}$ forwards $m_0$ and $m_1$ to the IND-CPA experiment for $\mathrm{PKE}_{cor}$ and receives a challenge ciphertext $c^{*\prime}$. $\mathcal{B}$ then computes $\sigma = \mathrm{Sign}(dsk^*, c^{*\prime})$ and outputs the challenge ciphertext $c^* = (c^{*\prime}, vk^*, \sigma)$ to $\mathcal{A}$. When $\mathcal{A}$ generates an output, $\mathcal{B}$ outputs whatever $\mathcal{A}$ outputs.

Putting it all together, $\mathcal{A}$'s views are identically distributed in game 2 and in $\mathcal{B}$'s simulation. Therefore, it holds that $\mathrm{Adv}_{IND\text{-}CPA}(\mathcal{B}) = \mathrm{Adv}_{Game2}(\mathcal{A}) > \epsilon$. Thus, $\mathcal{B}$ breaks the IND-CPA security of $\mathrm{PKE}_{cor}$ with non-negligible advantage $\epsilon$, contradicting the assumption. ■

Plugging Lemma 5 and Lemma 6 together establishes that any PPT IND-CCA2 adversary $\mathcal{A}$ has at most negligible advantage in winning the IND-CCA2 experiment for the scheme $\mathrm{PKE}'_{cca2}$.



C. Verifiable Correlated PKE based on the McEliece Scheme 

We can use a modified version of the scheme presented in Section IV to instantiate an $r$-correlated verifiable IND-CPA secure McEliece scheme $\mathrm{PKE}_{McE,Cor}$. A corresponding IND-CCA2 secure scheme is immediately implied by the construction in Section V-B. As plaintext space $\mathcal{M}_{cor}$ for $\mathrm{PKE}_{McE,Cor}$, we choose the set of all tuples $(s|y_1, \ldots, s|y_k)$, where $s$ is an $n$-bit string and $(y_1, \ldots, y_k)$ is a codeword of a code $C$ that can efficiently correct $k - r$ erasures. Clearly, $\mathcal{M}_{cor}$ is $r$-correlated. Let $E_C$ be the encoding function of $C$ and $D_C$ the decoding function of $C$. The randomized encoding function $E_{McE,Cor}$ used by $\mathrm{PKE}_{McE,Cor}$ proceeds as follows. Given a message $m$ and random coins $s$, it first computes $(y_1, \ldots, y_k) = E_C(m)$ and outputs $(s|y_1, \ldots, s|y_k)$. The decoding function $D_{McE,Cor}$ takes a tuple $(s|y_1, \ldots, s|y_k)$ and outputs $D_C(y_1, \ldots, y_k)$. As in the scheme of Section IV, the underlying OW-CPA secure encryption scheme PKE is textbook McEliece.

The $r$-correlatedness of $\mathrm{PKE}_{McE,Cor}$ follows directly from the construction of $\mathcal{M}_{cor}$, $E_{McE,Cor}$ and $D_{McE,Cor}$. It remains to show verifiability and IND-CPA security of the scheme. The $\mathrm{Verify}_{McE}$ algorithm takes a ciphertext $c = (c_1, \ldots, c_k)$, a public key $pk$, and a partial secret key $sk_T$ (for an $r$-sized index set $T$) and proceeds as follows. First, it decrypts the components of $c$ at the indices of $T$, i.e. it computes $x_t = \mathrm{Dec}_{McE}(sk_t, c_t)$ for $t \in T$. Then, it checks whether all $x_t$ are of the form $x_t = s|y_t$ for the same string $s$. If not, it stops and outputs 0. Next, it constructs a vector $y \in \Sigma^k$ with $y_i = y_i$ for $i \in T$ and $y_i = \bot$ (erasure) for $i \notin T$. Verify then runs the erasure-correction algorithm of $C$ on $y$. If the erasure correction fails, it stops and outputs 0. Otherwise let $y = (y_1, \ldots, y_k)$ be the corrected vector returned by the erasure correction. Then, Verify sets $x = (s|y_1, \ldots, s|y_k)$, i.e. $x_j = s|y_j$. Let $G_1, \ldots, G_k$ be the generator matrices given in $pk_1, \ldots, pk_k$. Finally, Verify checks whether all the vectors $c_j \oplus x_j G_j$, for $j = 1, \ldots, k$, have Hamming weight smaller than $t$. If so, it outputs 1, otherwise 0. Clearly, if $\mathrm{Verify}_{McE}$ outputs 1, then the ciphertext components $c_j$ of $c$ are valid McEliece encryptions.
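$\mathrm{Verify}_{McE}$ as described above, as an added Python example that is not part of the paper: the [7,4] Hamming code with a random column permutation and brute-force decoding stands in for textbook McEliece with a Goppa decoder, a parity code stands in for $C$, and all sizes and function names are constructed assumptions.

```python
import random
from itertools import product

# Constructed toy instance, not the paper's code: k = 3 components, s has 2 bits and each
# code symbol y_i has 2 bits, so each McEliece plaintext x_i = s|y_i has l = 4 bits. Textbook
# McEliece is stood in for by the [7,4] Hamming code with permuted columns and brute-force decoding.
K, S_BITS, N, T_ERR = 3, 2, 7, 2     # Verify accepts components whose error weight is < T_ERR
HAMMING = [[1,0,0,0,1,1,0], [0,1,0,0,1,0,1], [0,0,1,0,0,1,1], [0,0,0,1,1,1,1]]
rng = random.Random(7)

def xor(a, b): return [u ^ v for u, v in zip(a, b)]
def mul(x, G): return [sum(x[i] & row[j] for i, row in enumerate(G)) % 2 for j in range(N)]

def keygen():  # pk_j = G_j (permuted Hamming generator); the toy sk_j is G_j as well
    perm = rng.sample(range(N), N)
    G = [[row[p] for p in perm] for row in HAMMING]
    return G, G

def enc_mce(G, x):  # c = x*G xor e with a single error, i.e. wt(e) < T_ERR
    e = [0] * N
    e[rng.randrange(N)] = 1
    return xor(mul(x, G), e)

def dec_mce(sk, c):  # nearest-codeword search over all 2^l plaintexts; None if none fits
    for x in product([0, 1], repeat=len(sk)):
        if sum(xor(c, mul(x, sk))) < T_ERR: return list(x)
    return None

# Code C over 2-bit symbols: (y1, y2, y1 xor y2). It corrects k - r = 1 erasure, so r = 2.
def encode_c(m): return [m[:2], m[2:], xor(m[:2], m[2:])]
def erasure_correct(y):
    missing = [i for i, v in enumerate(y) if v is None]
    if len(missing) > 1: return None
    if missing: y[missing[0]] = xor(*[v for v in y if v is not None])
    return y

def enc_cor(pk, m):  # E_McE,Cor with fresh coins s, then component-wise McEliece encryption
    s = [rng.randint(0, 1) for _ in range(S_BITS)]
    return [enc_mce(pk[i], s + y) for i, y in enumerate(encode_c(m))]

def verify(c, pk, T, sk_T):  # Verify_McE with an r-sized index set T and sk_T = {t: sk_t}
    xs = [dec_mce(sk_T[t], c[t]) for t in T]
    if any(x is None for x in xs): return 0
    s = xs[0][:S_BITS]
    if any(x[:S_BITS] != s for x in xs): return 0     # every decrypted block must share s
    y = [None] * K
    for t, x in zip(T, xs): y[t] = x[S_BITS:]
    y = erasure_correct(y)
    if y is None: return 0
    return int(all(sum(xor(c[j], mul(s + y[j], pk[j]))) < T_ERR for j in range(K)))
```

Running verify with each of the three 2-subsets T returns 1 for an honest enc_cor ciphertext and 0 once one component is re-encrypted under a different s, which is the "regardless of the subset T" property the proof of Lemma 6 relies on.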

The IND-CPA security is proven analogously to Lemma 4. First, the McEliece generator matrices $G_i$ are replaced by random matrices $R_i$; then, using the LPNDP assumption, vectors of the form $sR_i \oplus e_i$ are replaced by uniformly random vectors $u_i$. Likewise, after this transformation the adversarial advantage is 0.